Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d).

DETAILED ACTION



Remarks 



1. In response to communications filed on 27 June 2006, claim(s) 1-8, 10-18 and 
20-31 is/are amended per Applicant's request. Therefore, claims 1-31 are presently
pending in the application, of which, claim(s) 1, 11, 21 and 24 is/are presented in 
independent form. 

2. In light of Applicant's amendments, the objections to the claims have been 
withdrawn. In light of Applicant's amendments and arguments, the rejections under 35 
U.S.C. 101 have been withdrawn. 

Claim Rejections - 35 USC § 102 


3. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public 
use or on sale in this country, more than one year prior to the date of application for patent in the United 
States. 

4. Claims 1-31 are rejected under 35 U.S.C. 102(b) as being anticipated by Damiani
et al. ("Design and implementation of an access control processor for XML documents",
Published in "Computer Networks", Vol. 33, Issues 1-6, Pages 59-75. Available online at
http://www.sciencedirect.com/science?_ob=Mlmg&jmagekey=B6VRG-40B2JGR-7-Y&_cdi=6234&_user=2502287&_orig=browse&_coverDate=06%2F30%2F2000&_sk=999669998&view=c&wchp=dGLbVlb-zSkzk&md5=ccc8253d4443baa1b88aed3a8262a7b9&ie=/sdarticle.pdf).

As to claim 1, Damiani et al. teaches a method for performing path-level access
control evaluation for a structured document, wherein the structured document 
comprises a plurality of nodes and each of the plurality of nodes is described by a path 
(see page 63, section 3.1, "Identifying authorization objects via path expressions"), the 
method comprising the steps of: 

a) storing an access control statement in a cache entry (see page 68, section
5.3, "Performance and caching") for a path associated with a node of the plurality of
nodes (see page 65, section 3.1, "Identifying authorization objects via path
expressions");

b) receiving a query, wherein the query comprises a request to access the node 
(see page 67, section 5, "Design and implementation guidelines", paragraph 2, lines 6-9);

c) checking the cache entry for the path associated with the node (see page 66, 
section 4, "Authorization enforcement", lines 10-13 and page 68, section 5.3,
"Performance and caching", lines 11-12); and

d) granting or denying access to the node based on the access control statement
in the cache entry for the path associated with the node (see page 66, section 4, 
"Authorization enforcement", lines 1-5). 

As to claims 2, 12 and 28, Damiani et al. teaches wherein the access control
statement is one of a grant statement (see page 66, section 4, "Authorization
enforcement", line 32, "'+' (permission)"), a deny statement ("'-' (denial)"), an unknown
statement (line 33, "'ε' (no authorization)") and a data-dependent statement (see page
63, section 3, "Authorizations", bullet-point 1, where "data-dependent statement" is read
on "specific documents").

As to claims 3 and 13, Damiani et al. teaches wherein step (d) further comprises: 
(d1) granting access to the node responsive to the access control statement 
being a grant statement (see page 66, section 4, "Authorization enforcement", lines 1-5).

As to claims 4 and 14, Damiani et al. teaches wherein step (d) further comprises: 
(d1) denying access to the node responsive to the access control statement 
being a deny statement (see page 66, section 4, "Authorization enforcement", lines 1-5).

As to claims 5 and 15, Damiani et al. teaches wherein step (d) further comprises:

(d1) evaluating an access control policy affecting the path in response to the 
access control statement being an unknown statement (see page 68, section 5.3, 
"Performance and caching", line 1 - page 69, line 5); 

(d2) granting access responsive to a result of the evaluation granting access (see 
page 66, section 4, "Authorization enforcement", lines 1-5); and 

(d3) denying access responsive to the result of the evaluation denying access 
(see page 66, section 4, "Authorization enforcement", lines 1-5). 

As to claims 6 and 16, Damiani et al. teaches further comprising: 

(e) determining whether the access control policy affecting the path is data- 
dependent (see page 63, section 3, "Authorizations", bullet-point 1, where "data- 
dependent" is read on "instance"); 

(f) changing the access control statement in the cache entry from the unknown 
statement to a grant statement or a deny statement based on the evaluation in
response to the access control policy being data-independent (see page 68, section 5.3,
"Performance and caching", line 1 - page 69, line 5); and 

(g) changing the access control statement in the cache entry from the unknown 
statement to a data-dependent statement in response to the access control policy being 
data-dependent (see page 68, section 5.3, "Performance and caching", line 1 - page 
69, line 5).

As to claims 7 and 17, Damiani et al. teaches wherein step (d) further comprises:

(d1) evaluating an access control policy affecting the path in response to the 
access control statement being a data-dependent statement (see page 63, section 3, 
"Authorizations", bullet-point 1, where "data-dependent" is read on "instance"); 

(d2) granting access responsive to a result of the evaluation granting access (see 
page 66, section 4, "Authorization enforcement", lines 1-5); and 

(d3) denying access responsive to the result of the evaluation denying access 
(see page 66, section 4, "Authorization enforcement", lines 1-5). 

As to claims 8 and 18, Damiani et al. teaches further comprising: 

(e) repeating steps (c) and (d) for a next node in the plurality of nodes (See page
69, lines 2-5, section 5.3, "Performance and caching". The entire document is
transformed, so each node must be transformed).

As to claims 9 and 19, Damiani et al. teaches wherein evaluating step (d1) 
further comprises: 

(d1i) evaluating a value expression for the path associated with the node, 
wherein the value expression is an executable statement based on the access control 
policy affecting the path and indicates who has access to the node (see page 70, 
section 6.1, "The role of encryption").

As to claims 10 and 20, Damiani et al. teaches wherein steps (c) and (d) are
performed during run-time (See page 68, section 5.2, "Execution phases", column 2,
final paragraph. It is implied that the execution steps take place on-demand; that is, at
run-time.).

As to claim 11, Damiani et al. teaches a computer readable medium containing a
computer program for performing path-level access control evaluation for a structured 
document, wherein the structured document comprises a plurality of nodes and each of 
the plurality of nodes is described by a path (see page 63, section 3.1, "Identifying 
authorization objects via path expressions"), the computer program comprising 
programming instructions for: 

For the remaining steps of this claim applicant(s) is/are directed to the remarks 
and discussions made in claim 1 above. 

As to claim 21, Damiani et al. teaches a method for performing path-level access
control evaluation for a structured document, wherein the structured document 
comprises a plurality of nodes and each of the plurality of nodes is described by a path 
(see page 63, section 3.1, "Identifying authorization objects via path expressions"), the 
method comprising the steps of: 


a) storing an access control statement in a cache entry for a path associated 
with a node of the plurality of nodes (see Examiner's comments regarding claim 1), 
wherein the access control statement is one of a grant statement, a deny statement, an
unknown statement and a data-dependent statement (see Examiner's comments
regarding claim 2); 

b) receiving a query, wherein the query comprises a request to access the node 
(see Examiner's comments regarding claim 1); 

c) checking the cache entry for the path associated with the node (see 
Examiner's comments regarding claim 1); 

d) granting access to the node responsive to the access control statement being 
a grant statement (see Examiner's comments regarding claim 3); 

e) denying access to the node responsive to the access control statement being 
a deny statement (see Examiner's comments regarding claim 4); and 

f) evaluating a value expression for the path associated with the node to produce 
a result in response to the access control statement being an unknown statement or a 
data-dependent statement (see Examiner's comments regarding claim 2), 

wherein the value expression is an executable statement based on an access 
control policy affecting the path and indicates who has access to the node (see 
Examiner's comments regarding claim 1). 

As to claims 22 and 25, Damiani et al. teaches further comprising: 

g) granting or denying access to the node based on the result of the evaluation 
(see page 66, section 4, "Authorization enforcement", lines 1-5); 

h) changing the access control statement in the cache entry from the unknown 
statement to a grant statement or a deny statement based on the result of the
evaluation in response to the access control policy being data-dependent (see page 68,
section 5.3, "Performance and caching", line 1 - page 69, line 5); and 

i) changing the access control statement in the cache entry from the unknown 
statement to a data-dependent statement in response to the access control policy being 
data-dependent (see page 68, section 5.3, "Performance and caching", line 1 - page 
69, line 5). 

As to claims 23 and 26, Damiani et al. teaches further comprising: j) repeating 
steps (c) through (i) for a next node in the plurality of nodes (See page 69, lines 2-5, 
section 5.3, "Performance and caching". The entire document is transformed, so each 
node must be transformed). 

As to claim 24, Damiani et al. teaches a computer readable medium containing a 
computer program for performing path-level access control evaluation for a structured 
document, wherein the structured document comprises a plurality of nodes and each of 
the plurality of nodes is described by a path (see page 63, section 3.1, "Identifying 
authorization objects via path expressions"), the computer program comprising 
programming instructions for: 

For the remaining steps of this claim applicant(s) is/are directed to the remarks 
and discussions made in claim 21 above.

As to claim 27, Damiani et al. teaches a system for performing path-level access
control evaluation for a structured document, wherein the structured document 
comprises a plurality of nodes and each of the plurality of nodes is described by a path 
(see page 63, section 3.1, "Identifying authorization objects via path expressions"), the 
system comprising: 

For the remaining steps of this claim applicant(s) is/are directed to the remarks 
and discussions made in claim 21 above and see also Figure 1. 

As to claim 29, Damiani et al. teaches further comprising: 

an access control mechanism coupled to the database management system, the 
access control mechanism being operable to determine access control to the node 
responsive to the access control statement being an unknown statement (see 
Examiner's comments regarding claim 5) or a data-dependent statement (see 
Examiner's comments regarding claim 6). 

As to claim 30, Damiani et al. teaches wherein the access control mechanism is 
further operable to generate a value expression for the path associated with the node 
based on an access control policy affecting the path, and wherein the database 
management system is further operable to evaluate the value expression for the path to 
determine whether to grant or deny access to the node (see Examiner's comments 
regarding claim 9).

As to claim 31, Damiani et al. teaches wherein the database management
system is further operable to change the access control statement in the cache entry 
from the unknown statement to a grant statement or a deny statement based on a result 
of the evaluation of the value expression responsive to the value expression for the path 
being data-independent and to change the access control statement in the cache entry 
from the unknown statement to a data-dependent statement responsive to the value 
expression for the path being data-dependent (see page 70, section 6.1, "The role of
encryption" and see page 68, section 5.3, "Performance and caching", line 1 - page 69, 
line 5). 
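
The cache behaviour recited in claims 1 and 5-7 (restated in claims 21-22 and 31), sketched as an added illustration; it is not code from the Office action, the application, or Damiani et al. The class and function names, the policy shape, and the sample paths are assumptions, as is binding each cache to a single requester so that a cached grant for one subject is never reused for another.

```python
from enum import Enum

class Stmt(Enum):
    GRANT = "grant"
    DENY = "deny"
    UNKNOWN = "unknown"
    DATA_DEPENDENT = "data-dependent"

def deny_all(user, value):
    # Assumption: a path with no policy entry is denied.
    return False

class PathAccessCache:
    """Per-requester cache of access control statements keyed by node path."""

    def __init__(self, policy, user):
        # Assumed policy shape: path -> (rule(user, value) -> bool, data_dependent)
        self.policy, self.user = policy, user
        self.entries = {}       # path -> Stmt
        self.evaluations = 0    # how often the policy had to be evaluated

    def check(self, path, value=None):
        stmt = self.entries.setdefault(path, Stmt.UNKNOWN)
        if stmt is Stmt.GRANT:
            return True
        if stmt is Stmt.DENY:
            return False
        # UNKNOWN or DATA_DEPENDENT: evaluate the policy affecting this path.
        rule, data_dependent = self.policy.get(path, (deny_all, False))
        self.evaluations += 1
        allowed = bool(rule(self.user, value))
        if data_dependent:
            # Decision depends on node content, so the outcome is never cached.
            self.entries[path] = Stmt.DATA_DEPENDENT
        else:
            self.entries[path] = Stmt.GRANT if allowed else Stmt.DENY
        return allowed

# Constructed sample policy; paths and user names are illustrative only.
POLICY = {
    "/patient/name": (lambda user, value: True, False),
    "/patient/ssn": (lambda user, value: user == "auditor", False),
    "/patient/notes/author": (lambda user, value: value == user, True),
}

def demo():
    cache = PathAccessCache(POLICY, "alice")
    results = [cache.check("/patient/name"), cache.check("/patient/name"),
               cache.check("/patient/ssn"),
               cache.check("/patient/notes/author", "alice"),
               cache.check("/patient/notes/author", "bob")]
    return results, cache.evaluations, dict(cache.entries)
```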

Response to Arguments 

5. Applicant's arguments filed on 27 June 2006 with respect to the rejected claims 
in view of the cited references have been fully considered but are not deemed 
persuasive. 

In response to Applicant's arguments that "Damiani does not disclose, teach, or 
suggest "storing an access control statement in a cache entry for a path associated with 
a node of the plurality of nodes"", the arguments have been fully considered but are not 
deemed persuasive. Applicant argues that Damiani et al. teaches storing the "structured 
document" (XML file) and not the "access control statement". The cache of Damiani et 
al. does not store the structured document in un-parsed, "plain-text" form (page 68,
section 5.2, step 4, "Unparsing"); the structured document is "parsed, labeled, [and]
transformed" and stored in a data structure when cached. See page 69, column 1, lines 
2-5. The term "otherwise" implies that the cache stores documents in a data structure 
and not plain text. Fig. 5 clearly indicates the "transformed" document being parsed into 
trees comprised of nodes (see Figure 5, the tree to the left of box "3. transformation"). 

In response to Applicant's arguments that Damiani et al. "does not disclose,
teach, or suggest "granting or denying access to the node based on the access control
statement in the cache entry for the path associated with the node," as recited in claim
1, since it only discusses using DTD-level and document-level authorizations to
determine what a requester sees", the arguments have been fully considered but are 
not deemed persuasive. After the cited portion of the reference, Damiani et al. goes on 
to say "the analysis [...] produces an access decision (access or not access) on each 
node of the document" (emph. added. See page 66, section 4, lines 16-19). Section 4, 
when considered in its entirety, contains several such references to per-node access 
control assignments. For example, see page 66, column 2, number (1), "Authorizations 
on a node", emph. added. 

Conclusion 

6. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

7. Any inquiry concerning this communication or earlier communications should be 
directed to the examiner, Mark A. Radtke. The examiner's telephone number is (571) 
272-7163, and the examiner can normally be reached between 9 AM and 5 PM, 
Monday through Friday. 

If attempts to contact the examiner are unsuccessful, the examiner's supervisor, 
Jeffrey Gaffin, can be reached at (571) 272-4146. 

Any inquiry of a general nature or relating to the status of this application or 
proceeding should be directed to Customer Service at (800) 786-9199.



SUPERVISORY PATENT EXAMINER 
TECHNOLOGY CENTER 2100 




12 September 2006 






